TOM-Skype Q & A

I have been getting a lot of questions and feedback on the “Breaching Trust” report. I’ll try to post more details and answer questions. Here are some of the common questions people have been asking.

How were you able to determine that messages containing keywords were being uploaded to a web server? How did you find and decrypt the messages?

Wireshark. Every time I typed the word “fuck” an HTTP connection was made to a TOM Skype server. I visited the URL directly in Firefox, cut off the file name and was able to view the contents of the directory. With a little poking around I found the encryption key. A few lines of Python and voila. I did not “crack” anything nor was there any “elite” hackery — just plain, simple stuff.

Is “normal” Skype affected?

No. The Skype software downloaded from skype.com is not affected by the behavior. The only time “normal” Skype users are affected is when they communicate with TOM-Skype users.

What is TOM-Skype and what is the difference between it and Skype?

If you go to www.skype.com from China, you are redirected to skype.tom.com — so that’s version most Chinese people will use.

In 2004 Skype developed a relationship with TOM Online, a leading wireless provider in China, and announced a joint venture in 2005. Skype and TOM Online produced a special version of the Skype software, known as TOM-Skype, for use in China.

What is Skype saying, have they said anything to you?

I contacted Skype to have the security issue fixed before the report was released. So, they have configured the servers so that one can no longer view the logs and they have deleted sensitive files, such as the one containing the encryption key. Other than that contact, I’ve only seen the
statements they’ve made to reporters.

Jennifer Caukin, an eBay spokeswoman, said, “The security and privacy of our users is very important to Skype.” But the company spoke to the accessibility of the messages, not their monitoring. “The security breach does not affect Skype’s core technology or functionality,” she said. “It exists within an administrative layer on Tom Online servers. We have expressed our concern to Tom Online about the security issue and they have informed us that a fix to the problem will be completed within 24 hours.” EBay had no comment on the monitoring.

Jennifer Caukin, a spokeswoman for Skype, said in an emailed statement that the security problem had been remedied as a result of the new report. The idea that China’s government “might be monitoring communications in and out of the country shouldn’t surprise anyone,” Ms. Caukin said. “Nevertheless, we were very concerned to hear about the apparent security issue” that enabled people to view user information, and “we are pleased that, once we informed TOM about it, that they were able to fix the flaw.”

In a separate statement, TOM Group said that “as a Chinese company, we adhere to rules and regulations in China where we operate our businesses.”

The text filter operates on the chat message content before it is encrypted for transmission, or after it has been decrypted on the receiver side. If the message is found unsuitable for displaying, it is simply discarded and not displayed or transmitted anywhere.

This case demonstrates the critical importance of the issues of transparency and accountability by providers of communications technologies. It highlights the risks of storing personally identifying and sensitive private information in jurisdictions where human rights and privacy are under threat. It also illustrates the need to assess the security, privacy and human rights impact of such a decision.

Some companies, such as Google, has stated that while the censor some search results they “will not maintain on Chinese soil any services, like email, that involve personal or confidential data.”

In this case Skype appears to have delegated all of the censorship and surveillance responsibilities to TOM – I don’t think they read Rebecca’s paper; they should. While examining the Yahoo! China – Shi Tao case she warned:

Companies that choose to ignore the broader human rights implications of their business practices are gambling with their long-term global reputations as trustworthy conduits or repositories of people’s personal communications and information.

Are the “key words” censored? Or are the messages just logged?

The only key word that I could use to trigger the content filter (the messages is not displayed to the user) and have logged in the content filter logs (uploaded to the tom-skype server) was “fuck” (and variations like f*ck). If a message contains the word “fuck” it is not displayed to the user (the entire message is not displayed) and the entire message is uploaded and logged.

In the same content filter logs I found that the majority of the logged messages did not contain obscenities, like fuck. However, many of the messages contained words like “Communist Party”, I counted the number of logged messages that contained these words, from that I identified what I think are key words. It is unclear if these messages are just logged, or are censored and logged.

Post questions in the comments and I’ll try to answer them :)

12 comments.

[…] on the controversy over monitoring users at Skype’s China joint venture, including an ongoing updated Q&A from the Skype report author (h/t Rconversation) and a more detailed response from Skype’s […]

Hi Brendan, thanks for the q. I heavily relied on machine translation. While its is possible to get a sense of the message it would be, as I noted in the report, far better to re-parse the logs matching Chinese characters. I intend to do this at some point. That’s why I used the key words to characterize the content of the messages.

In short, there were very short messages that contained “sensitive words” and not much else, and they were frequently logged. I parsed the log files to check for the frequency, from that I inferred what triggered the messaged to be logged.

Skype publicly characterized the type of content the filtering list contains, what I found matches their description.

That said, there were messages that appeared to be innocuous and very short, a “:)” smiley face for example. That cannot be logged for everyone leading me to believe that there are criteria other than key words in messages (usernames for example) that could trigger filtering and/or logging of the message.

There is an encrypted keyfile that appears to contain the trigger words, 110 at last count. Some of these are hardcoded into the tom-skype binary, so even if you delete the keyfile and block it from being downloaded by the client, you can still trigger the filtering/logging. I am working on decrypting this file.

The Ebay.com USA sites allows Hong Kong sellers to list their products. I have a US skype account. If I engage (or vice versa) with a seller based in Hong Kong, how do I know if they are using a Tom Skype system. Couldn’t this example potentially subject my conversations to logging or censoring?

Also, while this is considered a security breach, what happens when Ebay itself censors & snoops on its users? When ebay revised their user agreement last year there was discussion that this would open up ebays ability to screen messages through their P2P messaging system. I have experienced dropped non-deliverable messages by ebay based on certain types of conversations. And I had verified it by messaging my friends who also are on the ebay site. How is ebays censorship of our communications any different? If the exploit exists, how would we know if ebay is doing the same to monitor buyer and seller conversations. Do we take them for their word

I think Skype should develop function that indicates to the Skype user if they are talking to a TOM-Skype user.

I have used Skype in China for a number of years and had to reinstall Skype and was redirected to TOM-Skype. I was immediately suspicious and deleted the program and instead used Google through TOR to get Skype.

@Good idea – as Josh Silverman said in his blog post, we’re working on ways of making it clear to users that their messages may be monitored – we owe it to you to make things as transparent as possible.

Agreed. Knowing that you are communicating with a TOM user is a good idea. I have two additional recommendations. The first is for Skype to get involved with the multi-stakeholder initiative (see http://cyber.law.harvard.edu/research/principles ) and the second is to consider notifying users (as does Google, Yahoo, Microsoft and the Chinese search engine Baidu) when something is censored.

[…] This was discovered by a University of Toronto researcher in relatively simple fashion — by checking out what happened when he used the f-word in a message. (To be clear, this is a joint venture between Chinese phone […]